Card reading terminal and working method thereof

ABSTRACT

A card reading terminal. The card reading terminal comprises a receiving module, a first determining module, a first judging module, a first acquiring module, a second determining module, a second acquiring module, a third acquiring module, a first obtaining module, a fourth acquiring module, a first decrypting module, a generating module, a second obtaining module, an updating module, a third obtaining module, a fourth obtaining module, a reading module, a second judging module, an identifying module, a fifth obtaining module, a third judging module, an executing module, a fifth acquiring module, a sixth acquiring module, an encrypting module, a second decrypting module, and a sending module. According to the present invention, communication data between the card reading terminal and a card is secured, and is thus difficult to be intercepted, leaked, or tampered with, such that security is great improved.

TECHNICAL FIELD

The present invention relates to a terminal for reading a card and working method therefor, which belongs to communication security technology field.

PRIOR ART

Cards are widely used everywhere in human life. Because there are many types of cards, the meaning scope of a card reading terminal which supports using a card is wide as well. Generally, a working method of a card reading terminal is: after acquiring a host instruction from a host, the card reading terminal sends the host instruction to the card directly; when receiving a host response returned from the card, the card reading terminal sends the host response to the host; there is no secure processing of communication data between the card reading terminal and the card, therefore the communication data is easily to be intercepted, leaked or tampered and security level is low. In prior art, it requires a card reading terminal and a working method thereof to solve this problem.

SUMMARY OF THE INVENTION

The object of the present invention is to provide a terminal for reading a card and working method therefor, which securely processes communication data between the card reading terminal and the card. Therefore, it is hard to intercept, leak or tamper the communication, which improves security greatly.

Thus, according to one aspect of the present invention, there is provided a working method for a card reading terminal, which comprises the following steps:

-   -   Step S00: when receiving an instruction sent from a host, the         card reading terminal determines type of the instruction, if the         instruction is a secure channel establishing instruction,         execute Step S01, if the instruction is card communicating         instruction, execute Step S04;     -   Step S01, the card reading terminal judges whether a secure         channel is established, if yes, sends information that secure         channel is established successfully to the host, go back to Step         S00, otherwise, execute Step S02;     -   Step S02, the card reading terminal acquires a card parameter of         a card, determines an objective identification according to the         card parameter, acquires a function package corresponding to the         objective identification, acquires original card data; obtains a         derived key according to a preset second parameter package, the         original card data and the function package, acquires cipher         text of random data from the card, obtains card random data;         generates random data package; obtains mapping data package         according to the card random data, the random data package, a         preset first parameter package and the function package; updates         the first parameter package according to the mapping data         package; obtains a session key package according to the random         data package, the updated first parameter package and the second         parameter package; executes Step S03;     -   Step S03, the card reading terminal obtains a terminal         authenticated token according to the session key package and the         function package; reads a card authenticated token from the card         according to the terminal authenticated token, judges whether         the secure channel is established successfully according to the         terminal authenticated token and the card authenticated token,         if yes, identifies that secure channel is established and obtain         a secure session key according to the session key package; sends         information that establishing secure channel is successful to         the host, go back to Step S00, otherwise, sends information that         establishing secure channel is failed to the host, go back to         Step S00, the card reading terminal judges whether the secure         channel is established, if yes, execute Step S05; otherwise,         executes standard communication between terminal and card, go         back to Step S00,     -   Step S05, The card reading terminal obtains card communication         data from the card communicating instruction; obtains a stored         secure session key; uses the secure session key to encrypt the         card communication data to obtain cipher text of the card         communication data, sends the cipher text of the card         communication data to the card; uses the secure session key to         decrypt a cipher text of card communication response sent from         the card to obtain a card communication response, returns the         card communication response to the host, go back to Step S00,         and     -   the working method further comprises: when detecting that the         card leaves the field, the card reading terminal identifies that         the secure channel is not established.

According to another aspect of the present invention, there is provided a terminal for reading a card, which includes a receiving module, a first determining module, a first judging module, a first acquiring module, a second determining module, a second acquiring module, a third acquiring module, a first obtaining module, a fourth acquiring module, a first decrypting module, a generating module, a second obtaining module, an updating module, a third obtaining module, a fourth obtaining module, a reading module, a second judging module, a identifying module, a fifth obtaining module, a third judging module, an executing module, a fifth acquiring module, a sixth acquiring module, an encrypting module, a second decrypting module and a sending module;

-   -   the receiving module is configured to receive an instruction         sent from a host;     -   the first determining module is configured to determine type of         the instruction received by the receiving module;     -   the first judging module is configured to judge whether a secure         channel is established if the first determining module         determines that the type of the instruction is secure channel         establishing instruction;     -   the sending module is configured to send information that secure         channel is established successfully to the host if the first         judging module judges that a secure channel is established;     -   the first acquiring module is configured to acquire card         parameter of a card if the first judging module judges that a         secure channel is not established;     -   the second determining module is configured to determine an         objective identification according to the card parameter         acquired by the first acquire module;     -   the second acquiring module is configured to acquire a function         package corresponding to the objective identification determined         by the second determining module;     -   the third acquiring module is configured to acquire original         card data;     -   the first obtaining module is configured to obtain a derived key         according to a preset second parameter package, the original         card data obtained by the third acquiring module and the         function package acquired by the second acquiring module;     -   the fourth acquiring module is configured to acquire cipher text         of random data from the card;     -   the first decrypting module is configured to obtain card random         data by decrypting the cipher text of random data acquired by         the fourth acquiring module according to the derived key         acquired by the first obtaining module;     -   the generating module is configured to generate random data         package;     -   the second obtaining module is configured to obtain mapping data         package according to the card random data obtained by the first         decrypting module, the random data package generated by the         generating module, a preset first parameter package and the         function package acquired by the second acquiring module;     -   the updating module is configured to update the first parameter         package according to the mapping data package obtained by the         second obtaining module;     -   the third obtaining module is configured to obtain a session key         package according to the random data package, the first         parameter package updated by the updating module and the second         parameter package;     -   the fourth obtaining module is configured to obtain a terminal         authenticated token according to the session key package         obtained by the third obtaining module and the function package         acquired by the second acquiring module;     -   the reading module is configured to read a card authenticated         token from the card according to the terminal authenticated         token obtained by the fourth obtaining module;     -   the second judging module is configured to judge whether the         secure channel is established successfully according to the         terminal authenticated token read by the reading module and the         card authenticated token obtained by the fourth obtaining         module;     -   the identifying module is configured to identify that secure         channel is established if the judging result of the second         judging module is yes;     -   the fifth obtaining module is configured to obtain a secure         session key according to the session key package obtained by the         third obtaining module and store the secure session key if the         judging result of the second judging module is yes;     -   the sending module is further configured to send information         that establishing secure channel is successful to the host if         the fifth obtaining module obtains the secure session key and         stores the secure session key;     -   the sending module is further configured to send information         that establishing secure channel is failed to the host if the         judging result of the second judging module is no;     -   the third judging module is configured to judging whether the         secure channel is established if the first determining module         determines that type of the instruction is card communicating         instruction;     -   the executing module is configured to execute standard         communication between terminal and card if the judging result of         the third judging module is no;     -   the fifth obtaining module is configured to obtain card         communication data from the card communicating instruction;     -   the sixth obtaining module is configured to obtain the stored         secure session key;     -   the encrypting module is configured to use the secure session         key to encrypt the card communication data to obtain cipher text         of the card communication data if the judging result of the         third judging module is yes;     -   the sending module is further configured to send the cipher text         of the card communication data encrypted by the encrypting         module to the card;     -   the second decrypting module is configured to use secure session         key acquired by the sixth acquiring module to decrypt a cipher         text of card communication response sent from the card to obtain         a card communication response;     -   the sending module is further configured to return the card         communication response obtained by the second decrypting module         back to the host; and     -   the identifying module is further configured to identify that         the secure channel is not established when detecting that the         card leaves field.

According to the present invention, there is provided a terminal for reading a card and a method for making a terminal for reading a card; in the claimed method, any communication data between the card reading terminal and the card is transmitted in cipher text via a secure channel, which can avoid that the communication data to be intercepted, leaked or tampered and improves security of communication; meanwhile, it is compatible to a standard card reading process, which has a good generality.

According to the present invention, the communication data between the card reading terminal and the card is processed securely, which is hard to be intercepted, leaked and tampered, so that the security is improved greatly.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flow chart for a working method of a card reading terminal of Embodiment 1 of the present invention;

FIG. 2 and FIG. 3 are flow charts for a working method of a card reading terminal of Embodiment 2 of the present invention; and

FIG. 4 is a block diagram of a card reading terminal of Embodiment 3 of the present invention.

DESCRIPTION OF EMBODIMENTS

In order to make the purpose of this invention, technical solution and advantage are more clearly understood, in conjunction with attached drawings and implementation Examples, the present disclosure will be further described in detail below.

Embodiment 1

Embodiment 1 provides a working method of a card reading terminal, as shown in FIG. 1 , the method includes the following steps.

Step 100, when the card reading terminal receives the instruction sent from a host, the card reading terminal determines type of an instruction, if the instruction is a secure channel establishing instruction, execute Step S101, if the instruction is a card communicating instruction, execute Step S104.

Step 101, the card reading terminal determines whether a secure channel is established, if yes, sends information that secure channel is established successfully to the host, go back to Step S100; otherwise, execute Step S102.

Preferably, in Step 101, acquiring original card data specifically includes: the card reading terminal judges whether a first type card data exists in the secure channel establishing instruction, if yes, determines the original card data according to the first type card data, otherwise, receives the first type card data input.

Preferably, in Step 101, acquiring original card data specifically comprises: the card reading terminal acquires a second type card data from the secure channel establishing instruction, computes the second type card data to obtain original card data.

Step 102, the card reading terminal acquires card parameter of a card, determines an objective identification according to the card parameter, acquires a function package corresponding to the objective identification, acquires original card data; obtains a derived key according to a preset second parameter package, the original card data and the function package, acquires cipher text of random data from the card, obtains card random data by decrypting the cipher text of random data according to the derived key; generates random data package; obtains mapping data package according to the card random data, the random data package, a preset first parameter package and the function package; updates the first parameter package according to the mapping data package; obtains a session key package according to the random data package, the updated first parameter package and the second parameter package; execute Step S03;

Preferably, acquiring the original card data specifically comprises: the card reading terminal determines type of original card data according to the secure channel establishing instruction, if the type is a first type, determines the original card data according to a first type card data; if the type is a second type, determines the original card data according to a second type card data.

Further, that the card reading terminal determines type of the original card data according to the secure channel establishing instruction specifically is: the card reading terminal determines type of original card data according to datum of a preset byte in the secure channel establishing instruction, if the datum of the preset byte is a sixth preset data, the type of original card data is a first type; if the datum of the preset byte is a seventh preset data, the type of original card data is a second type.

Further, determining the original card data according to the first type card data specifically is: the card reading terminal receives a first type card data input, codes the first type card data to obtain the original card data.

Further, receiving the first type card data input specifically includes: the card reading terminal prompts inputting a first type card data, receives and displays the first type card data synchronously.

Further, determining the original card data according to the first type card data specifically is: the card reading terminal receives a first type card data from the secure channel establishing instruction, if the first type card data can be acquired from the secure channel establishing instruction, records the first type card data as original card data.

Further, the method further includes: if the first type card data cannot be acquired from the secure channel instruction, the card reading terminal receives the first type card data input, codes the first type card data to obtain the original card data.

Further receiving the first type card data input includes: the card reading terminal prompts inputting the first type card data, receives and displays the first type card data synchronously.

Further, acquiring the original card data specifically includes: the card reading terminal acquires a second type card data from the secure channel establishing instruction, computes the second type card data to obtain original card data.

Preferably, acquiring the original card data specifically includes: the card reading terminal receives the first type card data input, codes the first type card data to obtain the original card data.

Further, receiving the first type card data input specifically is: the card reading terminal prompts inputting the first type card data, receives and displays the first type card data input synchronously.

Preferably, Step 102 further includes: the card reading terminal sends a document selecting instruction to the card, determines type of a document selecting response, if the type is correct response, executes acquiring card parameter; if the type is error response, sends error reporting information to the host, waits for receiving a new instruction sent from the host, then goes back to Step 100.

Preferably, in Step 102, determining an objective identification according to the card parameter specifically includes: the card reading terminal sends a parameter acquiring instruction to the card, acquires card object identification zone data from a parameter acquiring response returned from the card, acquires a preset terminal objective identification list; determines an objective identification according to the card object identification zone data and the terminal objective identification list, acquires a function package corresponding to the determined objective identification.

Further, determining an objective identification according to the card object identification zone data and the terminal objective identification list, acquiring a function package corresponding to the determined objective identification specifically is: the card reading terminal determines an objective identification list according to the card object identification zone data and the terminal objective identification list, selects an objective identification, acquires a function package corresponding to the selected objective identification.

Preferably, in Step 102, before acquiring the original card data, the method further comprises: the card reading terminal sends an objective identification instruction including an objective identification to the card; and when receiving an objective identification response, executes acquiring original card data.

Step 103, the card reading terminal obtains a terminal authenticated token according to the session key package and the function package; reads a card authenticated token from the card according to the terminal authenticated token, judges whether the secure channel is established successfully according to the terminal authenticated token and the card authenticated token, if yes, identifies that secure channel is established and obtains a secure session key according to the session key package and stores the secure session key; sends information that establishing secure channel is successful to the host, goes back to Step S100, otherwise, sends information that establishing secure channel is failed to the host, then goes back to Step 100.

Preferably, in Step 103, reading the card authenticated token from the card according to the terminal authenticated token specifically is: the card reading terminal organizes an authenticated token exchanging instruction, sends the authenticated token exchanging instruction to the card; when receiving an authenticated token exchanging response returned from the card, obtains the card authenticated token from the authenticated token exchanging response.

Preferably, in Step 103, determining whether a secure channel is established successfully according to the card authenticated token and the terminal authenticated token specifically is: the card reading terminal determines whether the card authenticated token and the terminal authenticated token are identical, if yes, a secure channel is established successfully; otherwise, a secure channel is established unsuccessfully.

Step 104, the card reading terminal determines whether the secure channel is established, if yes, goes to Step 105, otherwise executes standard communication between terminal and card, then goes back to Step 100.

Step 105, the card reading terminal acquires card communication data from the card communicating instruction; acquires a stored secure session key; uses the secure session key to encrypt the card communication data to obtain cipher text of the card communication data, sends the cipher text of the card communication data to the card; uses the secure session key to decrypt a cipher text of card communication response sent from the card to obtain a card communication response, returns the card communication response to the host, then goes back to Step 100.

In Embodiment 1, the working method further includes: when detecting that the card leaves field, the card reading terminal identifies that the secure channel is not established.

Preferably, in Embodiment 1, Step 102 includes the following steps.

Corresponding, Step M01, the card reading terminal sends a parameter acquiring instruction; determines an objective identification according to a parameter acquiring response returned by the card, acquires a function package corresponding to the objective identification; and acquires original card data.

Correspondingly, Step M02, the card reading terminal obtains a derived key according to a preset second parameter package, the original card data and the function package; reads cipher text of random data from the card; and uses the derived key to decrypt the cipher text of random data so as to obtain card random data.

Further, in Step M02, that the card reading terminal obtains a derived key according to a preset second parameter package, the original card data and the function package specifically is: the card reading terminal takes a first preset parameter and the original card data as parameters to invoke a key derivation function in the function package to obtain the derived key.

Further, in Step M02, reading the cipher text of the random data from the card specifically is: the card reading terminal sends a random number exchanging instruction to the card; when receiving a random number exchanging response returned from the card, acquires the cipher text of random data form the random exchanging response.

Correspondingly, Step M03, the card reading terminal generates a first random data in the random data package; obtains a first terminal public key according to the first random data, a preset first parameter package and the function package; reads a first card public key from the card according to the first terminal public key; obtains a first mapping data package according to the first card public key, the first random data, the card random data, the first parameter package and the function package, and updates the first parameter package according to the first mapping data package.

Further, in Step M03, obtaining a first terminal public key according to the first random data, a preset first parameter package and the function package specifically is: the card reading terminal takes the first random data, the preset first parameter package as parameters to invoke a key generating function in the function package so as to obtain a first terminal public key.

Further, in Step M03, reading the first card public key from the card according to the first terminal public key specifically is: the card reading terminal organizes a first public key exchanging instruction according to the first terminal public key; sends the first public key exchanging instruction to the card; when receiving a first public key exchanging response returned from the card, acquires the first card public key from the first public key exchanging response.

Further, in Step M03, obtaining a first mapping data package according to the first card public key, the first random data, the card random data, the first parameter package and the function package specifically is: the card reading terminal obtains a first shared key according to the first card public key, the first random data, the first parameter package and the function package to obtain a first shared key; obtains a first mapping data package according to the card random data, the first random data, the first shared key and the function package.

Further, that the card reading terminal obtains a first shared key according to the first card public key, the first random data, the first parameter package and the function package to obtain the first shared key specifically is: the card reading terminal takes the first card public key, the first random data and the first parameter package as parameters to invoke a key negotiating function in the function package so as to obtain the first shared key.

Further, obtaining a first mapping data package according to the card random data, the first random data, the first shared key and the function package specifically is: the card reading terminal takes the card random data, the first random data, the first shared key and the function package as parameters to invoke a mapping function in the function package so as to obtain a first mapping data package.

Further, the mapping function is a universal mapping function or an authentication mapping function.

Further, Step M03 is substituted by: the card reading terminal generates a first random data in the random data package, obtains a second mapping data package according to the first random data, the card random data, a preset first parameter package and the function package; updates the first parameter package according to the second mapping data package.

Further, obtaining a second mapping data package according to the first random data, the card random data, a preset first parameter package and the function package; updating the first parameter package according to the second mapping data package specifically is: the card reading terminal takes the card random data and the first random data as parameters to invoke a pseudorandom function to obtain pseudorandom data; takes the pseudorandom data and a preset first parameter package as parameters to invoke a mapping function in the function package to obtain a second mapping data package; updates the first parameter package according to the second mapping data package; the mapping function is a composite mapping function.

Further, Step M03 specifically includes: the card reading terminal organizes a random data transferring instruction according to the first random data, sends the random data transferring instruction to the card; when receiving a random data transferring response, obtains a second mapping data package according to the first random data, the card random data, a preset first parameter package and the function package; updates the first parameter package according to the second mapping data package.

Correspondingly, Step M04, the card reading terminal generates a second random data in the random data package; obtains a second terminal public key according to the second random data, the updated first parameter package and the function package; reads a second card public key from the card according to the second terminal public key; obtains a second shared key according to the second card public key, the second random data, the updated first parameter package and the function package.

Further, in Step M04, obtaining the second terminal public key according to the second random data, the updated first parameter package and the function package specifically is: the card reading terminal takes the second random data and the updated first parameter as parameters to invoke a key generating function in the function package so as to obtain the second terminal public key.

Further, in Step M04, reading a second card public key from the card according to the second terminal public key specifically is: the card reading terminal organizes a second public key exchanging instruction according to the second terminal public key, sends the second public key exchanging instruction to the card; when receiving a second public key exchanging response returned from the card, and obtains a second card public key from the second public key exchanging response.

Further, in Step M04, obtaining a second shared key according to the second card public key, the second random data, the updated first parameter package and the function package specifically is: the card reading terminal takes the second card public key, the second random data and the updated first parameter package as parameters to invoke the key negotiating function in the function package to obtain the second shared key.

Correspondingly, Step M05: the card reading terminal obtains a session key package according to the second parameter package, the second shared key and the function package.

Further, Step M05 specifically is: the card reading terminal takes a second preset parameter in the second parameter package and the second shared key as parameters to invoke a key derivation function in the function package to obtain a first session key in the session key package; takes a third preset parameter in the second parameter package and the second shared key as parameters to invoke a key derivation function in the function package so as to obtain a second session key in the session key package.

Further, in Step 103, obtaining a terminal authenticated token according to the session key package and a function package specifically is: the card reading terminal invokes a token function in the function package according to the first session key in the session key package to obtain a terminal authenticated token.

Further, in Step 103, obtaining a secure session key according to the session key package and storing the secure session key specifically is: the card reading terminal takes a second session key in the session key package as a secure session key and stores the secure session key.

Embodiment 2

Embodiment 2 provides a working method of card reading terminal; as shown in FIG. 2 and FIG. 3 , the method includes the following steps.

Step 201, when receiving an instruction sent from a host, the card reading terminal determines type of the instruction, if the instruction is a secure channel establishing instruction, execute Step 202; if the instruction is a card communicating instruction, execute Step 218.

Preferably, Step 201 specifically is: when receiving an instruction sent from a host, the card reading terminal obtains data from the first byte to the fourth byte and data of the sixth byte in the instruction, determines type of the instruction according to the data from the first byte to the fourth byte and data of the sixth byte, if the data from the first byte to the fourth byte is a first preset data and data of the sixth byte is a second preset data, the instruction is a secure channel establishing instruction, execute Step 202, otherwise the instruction is a card communicating instruction, execute Step 218.

For example, when receiving an instruction, i.e. 0xFFC201200C020900020006303130363234, sent from a host, the card reading terminal obtains data from the first byte to the fourth byte and data of the sixth byte in the instruction, determines type of the instruction according to the data from the first byte to the fourth byte and data of the sixth byte, if the data from the first byte to the fourth byte is the first preset data, i.e. 0xFFC20120, and data of the sixth byte is the second preset data i.e. 0x02, the instruction is a secure channel establishing instruction, execute Step 202, otherwise the instruction is a card communicating instruction, execute Step 218.

Step 202, the card reading terminal judges whether a secure channel is established according to a preset identification, if yes, sends a successful establishing response to the host and waits for receiving a new instruction, go back to Step 201; otherwise, execute Step 203.

In Embodiment 2, the card reading terminal presets a preset identification, which is for identifying whether a secure channel is established.

Preferably, Step 202 specifically is: the card reading terminal determines type of the preset identification, if the preset identification is a fourth preset data which means that a secure channel is established, the card reading terminal sends a successful establishing response to the host, waits for receiving a new instruction sent from the host, go back to Step 201; if the preset identification is a fifth preset data which means that a secure channel is not established, execute Step 203.

For example, the card reading terminal determines type of the preset identification, if the preset identification is a fourth preset data 0x01 which means that a secure channel is established, the card reading terminal sends a successful establishing response to the host, waits for receiving a new instruction sent from the host; if the preset identification is a fifth preset data 0x00 which means that a secure channel is not established, execute Step 203.

Preferably, Step 202 specifically is: the card reading terminal judges whether a preset identification is equal to a fourth preset data, if yes, it means that a secure channel is established, the card reading terminal sends a successful establishing response to the host, waits for receiving a new instruction sent from a host, go back to Step 201; if no, it means that a secure channel is not established, execute Step 203.

Preferably, Step 202 specifically is: the card reading terminal judges whether a preset identification is set, if yes, it means that a secure channel is established, the card reading terminal sends a successful establishing response to the host, waits for receiving a new instruction sent from a host, go back to Step 201; if no, it means that a secure channel is not established, execute Step 203.

Preferably, Step 202 specifically is: the card reading terminal judges whether set data of the preset identification is equal to a fifth preset data, if yes, it means that a secure channel is not established, execute Step 203; if no, it means that a secure channel is established, the card reading terminal sends a successful establishing response to the host, waits for receiving a new instruction sent from a host, then goes back to Step 201.

Preferably, the working method in Embodiment 2 further includes: if the card reading terminal detects that the card left the field, the card reading terminal sets the set data of the preset identification to be a fifth preset data.

Step 203, the card reading terminal determines type of original card data according to the secure channel instruction establishing instruction, if the type is a first type, execute Step 205; if the type is a second type, execute Step 204.

In Embodiment 2, if the type of the original card data is a first type, in the following step, original card data is obtained according to a first type of card data, if the type of the original card data is a second type, in the following step, original card data is obtained according to a second type card data; the first type of card data printed or marked on the card when the card leaves factory is used as an original factor subsequently for attending process of establishing a secure channel between the card reading terminal and the card; the second type of card data printed or marked on the card, for example, the card is an identity card which can be read by the card reading terminal, when the card leaves factory, the second type of card data is used as an original factor subsequently for attending process of establishing a secure channel between the card reading terminal and the card.

Preferably, Step 203 specifically is: the card reading terminal acquires a sixth preset byte data from the secure channel establishing instruction, judges type of the six preset byte data, if the type is a sixth preset data, the original card data is the first type, execute Step 205; if the type is a seventh preset data, the original card data is the second type, execute Step 204.

Further, Step 203 specifically is: the card reading terminal acquires a ninth byte of data in the secure channel establishing instruction and takes the acquired ninth byte of data as a sixth preset byte data, judges type of the sixth preset byte data, if the type is sixth preset data, the original card data is the first type, execute Step 205; if the type is a seventh preset data, the original card data is a second type, execute Step 204.

For example, the card reading terminal acquires a ninth byte of data in the secure channel establishing instruction and takes the acquired ninth byte of data as a sixth preset byte data, judges type of the sixth preset byte data 0x02, if the type is sixth preset data, the original card data is the first type, execute Step 205; if the type is a seventh preset data 0x01, the original card data is the second type, execute Step 204.

Step 204, the card reading terminal acquires a second type card data from the secure channel establishing instruction, computes the second type card data to obtain the original card data; execute Step 208.

For example, in Step 204 of the present Embodiment 2, if the secure channel establishing instruction is 0xFFC2012060025D0001005A493C55544F443233313435383930373C3C3C3C3C 3C3C3C3C3C3C3C3C3C3C37343038313232463132303431353955544F3C3C3C3 C3C3C3C3C3C3C3C364552494B53534F4E3C3C414E4E413C4D415249413C3C3 C3C3C3C3C3C3C3C,

-   -   the second type card data is:         I<UTOD231458907<<<<<<<<<<<<<<<7408122F1204159UTO<<<<<<<<<<<6ERIK         SSON<<ANNA<MARIA<<<<<<<<<<,     -   of which the example data in hexadecimal is:         0x493C55544F443233313435383930373C3C3C3C3C3C3C3C3C3C3C3C3C3C3C         37343038313232463132303431353955544F3C3C3C3C3C3C3C3C3C3C3C364552         494B53534F4E3C3C414E4E413C4D415249413C3C3C3C3C3C3C3C3C3C.

Preferably, Step 204 specifically is: the card reading terminal acquires a second type card data from the secure channel establishing instruction, performs sha-1 operation on the second type card data to obtain the original card data; execute Step 208.

Preferably, the second type card data can be formed by a sequence number, a birth data and an expiration date.

Step 205, the card reading terminal judges whether a first type card data exists in the secure channel establishing instruction, if yes, execute Step 206; if no, execute Step 207.

Preferably, before Step 205, the method further includes: the card reading terminal powers up, performs initializing; executes card inquiring operating; sends ART data to the host; connects the card when receiving a card connecting instruction sent from the host, sends a successful connecting response to the host.

Further, before Step 205, the method further includes: the card reading terminal communicates with the host via USB interface.

Further, before Step 205, the method further includes: the card reading terminal communicates with the host via Bluetooth.

Preferably, Step 205 specifically is: the card reading terminal acquires a third preset byte data from the secure channel establishing instruction, judges whether original card data exists in the secure channel establishing instruction according to the third preset byte data and a third preset data, if yes, execute Step 206; if no, execute Step 207.

Further, Step 205 specifically is: the card reading terminal acquires a third preset byte data from the secure channel establishing instruction, judges whether the third preset byte data is equal to a third preset data, if yes, it means that a first type card data exists in the secure channel establishing instruction, execute Step 206; if no, it means that a first type card data does not exist in the secure channel establishing instruction, execute Step 207.

Further, Step 205 specifically is: the card reading terminal acquires data of the fifth byte of the secure channel establishing instruction and takes the data of the fifth byte of the secure channel establishing instruction as a third preset byte data, judges whether the third preset byte data is equal to a third preset data, if yes, it means that a first type card data exists in the secure channel establishing instruction, execute Step 206; if no, it means that a first type card data does not exist in the secure channel establishing instruction, execute Step 207.

For example, the card reading terminal acquires data of the fifth byte of the secure channel establishing instruction and takes the data of the fifth byte of the secure channel establishing instruction as a third preset byte data, judges whether the third preset byte data is equal to a third preset data 0x0C, if yes, it means that a first type card data exists in the secure channel establishing instruction, execute Step 206; if no, it means that a first type card data does not exist in the secure channel establishing instruction, execute Step 207.

Step 206, the card reading terminal obtains original card data from the secure channel establishing instruction, execute Step 208.

Preferably, Step 206 specifically is: the card reading terminal acquires the last six bytes of data of the secure channel establishing instruction and takes the last six bytes of data of the secure channel establishing instruction as the original card data; execute Step 207.

For example, the card reading terminal acquires the last six bytes of data, i.e. 0x303130363234 of the secure channel establishing instruction 0xFFC201200C020900020006303130363234 and takes 0x303130363234 as the original card data; execute Step 207.

Preferably, Step 206 further includes: the card reading terminal stores the original card data.

Step 207, the card reading terminal prompts a user to input a first type card data; converts the first type card data to obtain the original card data when receiving the first type card data, execute Step 208.

For example, the secure channel establishing instruction is 0xFFC2012006020300020000, Step 208 is executed.

Preferably, Step 207 specifically is: the card reading terminal prompts the user to input the first type card data via the card reading terminal; converts the decimal first type card data into hexadecimal data to obtain original card data when receiving the first type card data input, then executes Step 208.

In Embodiment 2, the card reading terminal has function of inputting, which includes many input ways, for example, voice input, keyboard input, input by scanning two dimension code, input by scanning number marked on the card, etc.

For example, the card reading terminal prompts the user to input a first type card data 010624 via the card reading terminal; when receiving the type card data 010624 input, the card reading terminal converts the decimal first type card data 010624 into hexadecimal data to obtain original card data 0x303130363234, execute Step 208.

Preferably, Step 207 further includes: the card reading terminal displays the first type card data input; in this case, when the user input the data via the keyboard the input data will be displayed via a display screen, which is easy for the user to check and amend the first type card data input.

For example, the card reading terminal displays the input first type card data 010624.

Preferably, Step 207 further includes: when the card reading terminal does not receive original card data, the card reading terminal sends information of error reporting to the host.

Preferably, Step 207 further includes: the card reading terminal stores the original card data.

Step 208, the card reading terminal sends a card selecting instruction to the card, when receiving a document selecting response from the card, the card reading terminal determines type of the document selecting response, if the type is a first type response, execute Step 209; if the type is a second type response, sends information of error reporting to the host, waits for receiving a new instruction sent from the host, then goes back to Step 201.

Preferably, Step 208 specifically is: the card reading terminal sends a document selecting instruction to the card, when receiving a document selecting response from the card, the card reading terminal judges type of the document selecting response, if the type is correct response, execute Step 209; if the type is error response, send information of error reporting to the host, waits for receiving a new instruction sent from the host, then goes back to Step 201.

For example, the card reading terminal sends a document selecting instruction 0x00A4020C02011C to the card, when receiving a document selecting response from the card, the card reading terminal judges type of the document selecting response, if the type is correct response 0x9000, execute Step 209; if the type is error response 0x00, sends information of error reporting to the host, waits for receiving a new instruction sent from the host, go back to Step 201.

Step 209, the card reading terminal sends a parameter acquiring instruction; when receiving a parameter acquiring response returned from the card, the card reading terminal determines an objective identification and a corresponding function package according to the parameter acquiring response; the function package includes a key derivation function, a mapping function, a key generating function, a key negotiating function and a token function.

Preferably, Step 209 specifically is: the card reading terminal sends a parameter acquiring instruction; when receiving a parameter acquiring response returned from the card, acquires card object identification zone data from the parameter acquiring response, acquires a preset terminal objective identification list; determines an objective identification according to the card object identification zone data and the terminal objective identification list, acquires a function package corresponding to the determined objective identification; the function package includes a key derivation function, a mapping function, a key generating function, a key negotiating function and a token function.

Preferably, Step 209 specifically is: the card reading terminal sends a parameter acquiring instruction; when receiving a parameter acquiring response returned from the card, acquire card object identification zone data from the parameter acquiring response, acquires a preset terminal objective identification list; determines an objective identification list according to the card object identification zone data and the terminal objective identification list, selects an objective identification from the objective identification list, acquires a function package corresponding to the selected objective identification; the function package includes a key derivation function, a mapping function, a key generating function, a key negotiating function and a token function.

In Step 209, when the mapping function is a second function type, the function package further includes a pseudorandom function.

In Step 209, in case that an objective identification list is determined according to the card object identification zone data and the terminal objective identification list, the common part of the card object identification zone data and the terminal objective identification list construct the objective identification list.

For example, in Step 209, the mapping function is the first function type, i.e. a universal function, the card reading terminal sends a parameter acquiring instruction 0x0060000000 to the card; when receiving a parameter acquiring response, i.e. 0x3170300D0608 04007F000702010201 0101300F060A04007F000702010302010201013012060A04007F00070201040201 02010201010D3012060A04007F0007020104020102010201010D3012060A04007F 000702010401020101020101003012060A04007F000702010401010201020101009 000, returned from the card, the card reading terminal acquires card object identification zone data from the parameter acquiring response, acquires a preset terminal objective identification list; determines an objective identification list according to the card object identification zone data and the terminal objective identification list, selects an objective identification from the objective identification list, acquires a function package corresponding to the selected objective identification; the function package includes a key derivation function, a mapping function, a key generating function, a key negotiating function and a token function.

Step 210, the card reading terminal organizes an objective identification instruction according to the objective identification, sends the objective identification instruction to the card; when receiving an objective identification response, acquires the original card data; takes a first preset parameter and the original card data as parameter and invokes the derivation function in the function package to obtain a derived key.

For example, the card reading terminal organizes an objective identification instruction 0x0022C1A412800A04007F00070201040 20183010284010D according to the objective identification, sends the objective identification instruction 0x0022C1A412800A04007F000702010 4020183 010284010D to the card; when receiving an objective identification response 0x9000, acquires the original card data 0x303130363234, takes a first preset parameter and the original card data 0x303130363234 as parameter and invokes the derivation function SHA-1 in the function package to obtain a derived key.

Preferably, Step 210 specifically is: the card reading terminal organizes an objective identification instruction according to the objective identification, sends the objective identification instruction to the card; when receiving an objective identification response, acquires the original card data; processes the original card data to obtain card processing data; takes a first preset parameter and the original card data as parameter and invokes the derivation function in the function package to obtain a derived key.

Further, the card reading terminal organizes an objective identification instruction according to the objective identification, sends the objective identification instruction to the card; when receiving an objective identification response, acquires the original card data; codes the original card data to obtain card processing data; takes a first preset parameter and the original card data as parameters and invokes the derivation function in the function package to obtain a derived key.

Step 211, the card reading terminal sends a random number exchanging instruction to the card; when receiving a random number exchanging response returned from the card, acquires cipher text of random data from the random number exchanging response, uses the derived key to decrypt the cipher text of random data to obtain card random data; generates a first random data; checks type of the mapping function in the function package, if the mapping function is a first mapping function, execute Step 212; if the mapping function is a second mapping function, execute Step 213.

In Embodiment 2, the first mapping function is universal mapping function or authentication mapping function; the second mapping function is composite mapping function.

For example, in Embodiment 2, for example, the mapping function is a first mapping function, the card reading terminal sends a random number exchanging function 0x10860000027C00 to the card; when receiving a random number exchanging response 0x7C1280102E7 E0A0A6644E81F48 B5472D3DB36E139000 returned from the card, acquires cipher text of random data from the random number exchanging response, uses the derived key to decrypt the cipher text of random data to obtain card random data; generates a first random data 0x60BC0DBD4 0B045E711A420F570AA3F9434D308F07D752FA7661545160EF33FA9, checks type of the mapping function in the function package, if the mapping function is a first mapping function, execute Step 212; if the mapping function is a second mapping function, execute Step 213.

Step 212, the card reading terminal takes the first random data and a preset first parameter package as parameters to invoke the key generating function in the function package to obtain a first terminal public key; organizes a first public key exchanging instruction according to the first terminal public key; sends the first public key exchanging instruction to the card; when receiving a first public key exchanging response returned from the card, obtains a first card public key from the first public key exchanging response; takes the first card public key, the first random data and the first parameter package as parameters to invoke the key negotiating function in the function package to obtain a first shared key; takes the card random data, the first random data and the first shared key as parameters to invoke the first mapping function to obtain a first mapping data package; updates the first parameter package according to the first mapping data package; execute Step 214.

In Embodiment 2, the first parameter package is formed by an eleventh preset data, a twelfth preset data, a thirteenth preset data and a fourteenth preset data; updating the first parameter package in a following step is updating the thirteenth preset data and the fourteenth preset data in the first parameter package.

For example, the card reading terminal takes the first random data and the first parameter package as parameters to invoke the key generating function in the function package to obtain the first terminal public key 0x6AE356BD23F037A0AAC863434D9E0A094021FDOCAOA3B51940 45BE 9D9638815246C23032CC91182B1EC93EF87ED94F02D2EC950F5FCA7A34760A3 A065D 15C22B; organizes a first public key exchanging instruction 0x108600004570438141046AE356BD23F 037A0AAC863434 D9E0A094021FDOCA0A3B5194045BE9D96388152460230320091182B1E 093EF87ED94F02D2E0950F5FCA7A34760A3A065D15022B according to the first terminal public key0x6AE356BD23F037A0AAC863434D9E0A094021 FDOCA0A3 B5194 045BE9D96388 15246C23032CC91182B1EC93EF87ED94F02D2EC950F5FCA7A34760A3A065D1 50228; sends the first public key exchanging instruction to the card;

-   -   when receiving a first public key exchanging response         0x704382410484F4C7389E0FC7414 8908964012         D2638743727E596C309CAE27E06F2C1681D3F33E97D8E5CAECFF68D6EEFC         CDEB9FF58D17FD1BDO4ED480DE887AE82700A90AB9000 returned from the         card, obtains a first card public key         0x84F407389E0F0741489089B4012D2638743727E59603090AE27E06F20         1681D3F33E97D8E5CAECFF68D6EEFCCDEB9FF58D17FD1BDO4ED480DE887A         E82700A90AB from the first public key exchanging response;     -   takes the first card public key, the first random data and the         first parameter package as parameters to invoke the key         negotiating function in the function package to obtain a first         shared key         0x510F0B20F1A0B7E3B7573D2F4B69BF9E5D436D16B9502210E7F1226A3525         DF2232D7         FABD0AD6EC2BOEF15F8713273136BED230DACBDE106138352EE46E44E9E8,         and     -   takes the card random data, the first random data and the first         shared key as parameters to invoke the first mapping function to         obtain a first mapping data package0xA749C5589BBE2E82D6         9618F6F50604F7805E         B8524BE3167352351795FD3D16B225BD7BE4B504B6C3E6697FF1EA52906FD2CAE3CE45DACCE6CE12DCF973520E22,         updates the first parameter package according to the first         mapping data package; execute Step 214.

Step 213, the card reading terminal organizes a random data transferring instruction according to the first random data, sends the random data transferring instruction to the card; when receiving a random data transferring response returned from the card, takes the card random data and the first random data as parameters to invoke the pseudorandom function in the function package to obtain pseudorandom data; takes the pseudorandom data and the first parameter package as parameters to invoke the second mapping function to obtain a second mapping data package; updates the first parameter package according to the second mapping data package; then executes Step 214.

In Embodiment 2, the function package further includes a pseudorandom function.

Step 214, the card reading terminal generates a second random data; takes the second random data and the updated first parameter package as parameters to invoke the key generating function in the function package to obtain a second terminal public key; organizes a second public key exchanging instruction according to the second terminal public key, sends the second public key exchanging instruction to the card; when receiving a second public key exchanging response returned from the card, the card reading terminal obtains a second card public key from the second public key exchanging response; takes the second card public key, the second random data and the updated first parameter package to invoke the key negotiating function in the function package to obtain a second shared key.

For example, the card reading terminal generates a second random data0x3F0614AA70D17AD566164105679370A31BF03542 49D41E1268334B59576A6CC6,

-   -   takes the second random data and the updated first parameter         package as parameters to invoke the key generating function in         the function package to obtain a second terminal public key         0x1C0F         55127C7A66916E49C94E3BE653A718C290F492051178443ADEE98141AD2D95         DF34518573 CEC44312B65BA27FD731413B99E6FB7D39DB944A88DA0D0B359D,     -   organizes a second public key exchanging instruction according         to the second terminal public key, sends the second public key         exchanging instruction to the card;     -   when receiving a second public key exchanging response         0x70438441041687E96D86940942 647F3FD7DC7         DECF2F762F3B3F1F45B523243FAB762D6A3979EBBFBD7FB37FBBCF25D         654DD2FBF1BF6333815B657F83E10127153396BF099A9000 returned from         the card, the card reading terminal obtains a second card public         key0x1687E96D86940942647F3FD7DC7DECF2F         762F3B3F1F45B523243FAB762D6A3979EBBFBD7FB37FBBCF25D654DD2FBF1B         F6333815 B65783E1C127153396BFC99A from the second public key         exchanging response 0x7043844104         1687E96D86940942647F3FD7DC7DECF2F762F3B3F1F45B523243FAB762D6A39         79EBBFBD7FB37FBBCF25D654DD2FBF1BF6333815B657F83E10127153396BF0         99A9000; and     -   takes the second card public key, the second random data and the         updated first parameter package to invoke the key negotiating         function in the function package to obtain a second shared key         0x931D69E50F71F2 E F84B527BA3F5335A6740DF592227F56C2 D944696         E81A1BBA30E87C3 A0788002650D10D349E1E2         D4C18C3B6E8C76316ACB27143E79FFC76D97.

Step 215, the card reading terminal takes a second preset parameter and the second shared key as parameters to invoke the key derivation function in the function package to obtain a first session key; takes a third preset parameter and the second shared key as parameters to invoke the key derivation function in the function package so as to obtain a second session key.

Step 216, the card reading terminal obtains a terminal authenticated token according to the token function in the function package according to the first session key; organizes an authenticated token exchanging instruction according to the terminal authenticated token, sends the authenticated token exchanging instruction to the card; when receiving an authenticated token exchanging response returned from the card, obtains a card authenticated token from the authenticated token exchanging response, determines whether a secure channel is established successfully according to the card authenticated token and the terminal authenticated token, if the secure channel is established successfully, execute Step 217; if the secure channel is established unsuccessfully, sends information that the secure channel is established unsuccessfully to the host, waits for receiving a new instruction from the host, then goes back to Step 201.

Preferably, Step 216 specifically is: the card reading terminal takes the second preset parameter and the second shared key as parameters to invoke the key derivation function in the function package to obtain a first session key; takes the third preset parameter and the second shared key as parameters to invoke the key derivation function in the function package to obtain a second session key; invokes the token function in the function package according to the first session key to obtain the terminal authenticated token; invokes the token function in the function package according to the first session key to obtain the terminal authenticated token; organizes the authenticated token exchanging instruction according to the terminal authenticated token, sends the authenticated token exchanging instruction to the card; when receiving an authenticated token exchanging response from the card, the card reading terminal obtains the card authenticated token from the authenticated token exchanging response, judges whether the card authenticated token and the terminal authenticated token are identical, if yes, it means that the secure channel is established successfully, execute Step 217; otherwise, it means that the secure channel is established unsuccessfully, waits for receiving a new instruction from the host, then goes back to Step 201.

For example, the card reading terminal takes the second preset parameter and the second shared key as parameters to invoke the key derivation function in the function package to obtain a first session key; takes the third preset parameter and the second shared key as parameters to invoke the key derivation function in the function package to obtain a second session key; invokes the token function in the function package according to the first session key to obtain the terminal authenticated token; invokes the token function in the function package according to the first session key to obtain the terminal authenticated token; organizes the authenticated token exchanging instruction 0x008600000C7C0A8508A18E3DA1A1B5398C according to the terminal authenticated token, sends the authenticated token exchanging instruction to the card; when receiving an authenticated token exchanging response 0x7C0A86089CE08195081051E69000 from the card, the card reading terminal obtains the card authenticated token from the authenticated token exchanging response, judges whether the card authenticated token and the terminal authenticated token are identical, if yes, it means that the secure channel is established successfully, execute Step 217; otherwise, it means that the secure channel is established unsuccessfully, waits for receiving a new instruction from the host, then goes back to Step 201.

Step 217, the card reading terminal sets a preset identification as a fourth preset data; stores the second session key as secure session key, sends information that secure channel is established successfully to the host, waits for receiving a new instruction from the host, go back to Step 201;

For example, the card reading terminal sets the second session key as secure session key, sends information that a secure channel is established successfully to the host, waits for receiving a new instruction from the host, then goes back to Step 201.

Step 218, the card reading terminal judges whether a secure channel is established according to a preset identification, if yes, execute Step 219; otherwise, execute Step 220.

Step 219, the card reading terminal obtains card communication data from a card communicating instruction; obtains the stored secure session key, encrypts the card communication data by using the secure session key to obtain cipher text of the card communication data, sends the card communication data to the card; when receiving cipher text of a card communicating response, decrypts cipher text of the card communicating response by using the secure session key to obtain a card communicating response, sends the card communicating response to the host, waits for receiving a new instruction sent from the host, then goes back to Step 201.

Step 220, the card reading terminal sends a card communicating instruction to the card, when receiving a card communicating response sent from the card, sends a card communicating response to the host, waits for receiving a new instruction sent from the host, then goes back to Step 201.

Embodiment 3

Embodiment 3 provides a card reading terminal, as shown in FIG. 4 , the card reading terminal includes: a receiving module 301, a first determining module 302, a first judging module 303, a first acquiring module 304, a second determining module 305, a second acquiring module 306, a third acquiring module 307, a first obtaining module 308, a fourth acquiring module 309, a first decrypting module 310, a generating module 311, a second obtaining module 312, an updating module 313, a third obtaining module 314, a fourth obtaining module 315, a reading module 316, a second judging module 317, an identifying module 318, a fifth obtaining module 319, a third judging module 320, an executing module 321, a fifth acquiring module 322, a sixth acquiring module 323, an encrypting module 324, a second decrypting module 325 and a sending module 326;

-   -   the receiving module 301 is configured to receive an instruction         sent from a host;     -   the first determining module 302 is configured to determine type         of the instruction received by the receiving module 301;     -   the first judging module 303 is configured to judge whether a         secure channel is established if the first determining module         302 determines that the type of the instruction is secure         channel establishing instruction;     -   the sending module 326 is configured to send information that         secure channel is established successfully to the host if the         first judging module 303 judges that a secure channel is         established;     -   the first acquiring module 304 is configured to acquire card         parameter of a card if the first judging module 303 judges that         a secure channel is not established; and     -   the second determining module 305 is configured to determine an         objective identification according to the card parameter         acquired by the first acquire module 304.

Preferably, the second determining module 305 specifically is configured to send a parameter acquiring instruction to the card, acquire card object identification zone data from a parameter acquiring response returned from the card, acquire a preset terminal objective identification list; determine an objective identification according to the card object identification zone data and the terminal objective identification list, acquire a function package corresponding to the determined objective identification.

Further, that the second determining module 305 is configured to determine an objective identification according to the card object identification zone data and the terminal objective identification list specifically is: the second determining module 305 is configured to determine an objective identification list according to the card object identification zone data and the terminal objective identification list, select an objective identification from the objective identification list, acquire a function package corresponding to the selected objective identification.

The second acquiring module 306 is configured to acquire a function package corresponding to the objective identification determined by the second determining module 305; and

-   -   the third acquiring module 307 is configured to acquire original         card data.

Preferably, the third acquiring module 307 is specifically configured to determine type of original card data according to the secure channel establishing instruction, if the type is a first type, determine the original card data according to a first type card data; if the type is a second type, determine the original card data according to a second type card data.

That the third acquiring module 307 is configured to determine type of original card data according to the secure channel establishing instruction specifically is: the third acquiring module 307 is configured to determine type of original card data according to datum of a preset byte in the secure channel establishing instruction, if the datum of the preset byte is a sixth preset data, the type of original card data is a first type; if the datum of the preset byte is a seventh preset data, the type of original card data is a second type,

Further, that the third acquiring module 307 is configured to determine the original card data according to a first type card data specifically is: the third acquiring module 307 is configured to receive a first type card data input, code the first type card data to obtain the original card data.

Further, that the third acquiring module 307 is configured to determine the original card data according to a first type card data specifically is: the third acquiring module 307 is configured to acquire a first type card data from the secure channel establishing instruction, to record the first type card data as original card data if the first type card data can be acquired from the secure channel establishing instruction.

Further, that the third acquiring module 307 further is configured to receive a first type card data input, code the first type card data to obtain the original card data if the first type card data cannot be acquired from the secure channel establishing instruction.

Further, that the third acquiring module 307 is configured to determine the original card data according to a second type card data specifically is: the third acquiring module 307 is configured to acquire a second type card data from the secure channel establishing instruction, compute the second type card data to obtain the original card data.

Preferably, the third acquiring module 307 is specifically configured to receive a first type card data input, code the first type data to obtain the original card data.

Preferably, the third acquiring module 307 specifically is configured to judge whether a first type card data exists in the secure channel establishing instruction, if yes, determine the original card data according to the first type card data, otherwise, receiving the first type card data input.

Preferably, the third acquiring module 307 specifically is configured to acquire a second type card data from the secure channel establishing instruction, compute the second type card data to obtain original card data.

In the present embodiment 3, that the third acquiring module 307 is configured to receive a first type card data input specifically is: the third acquiring module 307 is configured to prompt inputting a first type card data, receive and display the first type card data input synchronously.

The first obtaining module 308 is configured to obtain a derived key according to a preset second parameter package, the original card data obtained by the third acquiring module 307 and the function package acquired by the second acquiring module 306.

The fourth acquiring module 309 is configured to acquire cipher text of random data from the card.

The first decrypting module 310 is configured to obtain card random data by decrypting the cipher text of random data acquired by the fourth acquiring module 309 according to the derived key acquired by the first obtaining module 308.

The generating module 311 is configured to generate random number data package.

The second obtaining module 312 is configured to obtain mapping data package according to the card random data obtained by the first decrypting module 310, the random data package generated by the generating module 311, a preset first parameter package and the function package acquired by the second acquiring module 306.

The updating module 313 is configured to update the first parameter package according to the mapping data package obtained by the second obtaining module 312.

The third obtaining module 314 is configured to obtain a session key package according to the random data package, the first parameter package updated by the updating module 313 and the second parameter package.

The fourth obtaining module 315 is configured to obtain a terminal authenticated token according to the session key package obtained by the third obtaining module 314 and the function package acquired by the second acquiring module 306.

The reading module 316 is configured to read a card authenticated token from the card according to the terminal authenticated token obtained by the fourth obtaining module 315.

The second judging module 317 is configured to judge whether the secure channel is established successfully according to the terminal authenticated token read by the reading module 316 and the card authenticated token obtained by the fourth obtaining module 315.

The identifying module 318 is configured to identify that secure channel is established if the judging result of the second judging module 317 is yes.

The fifth obtaining module 319 is configured to obtain a secure session key according to the session key package obtained by the third obtaining module 314 and store the secure session key if the judging result of the second judging module 317 is yes.

The sending module 326 is further configured to send information that establishing secure channel is successful to the host if the fifth obtaining module 319 obtains the secure session key and stores the secure session key.

The sending module 326 is further configured to send information that establishing secure channel is failed to the host if the judging result of the second judging module 317 is no.

The third judging module 320 is configured to judging whether the secure channel is established if the first determining module 302 determines that type of the instruction is card communicating instruction.

The executing module 321 is configured to execute standard communication between terminal and card if the judging result of the third judging module is no,

The fifth obtaining module 322 is configured to obtain card communication data from the card communicating instruction.

The sixth obtaining module 323 is configured to obtain the stored secure session key.

The encrypting module 324 is configured to use the secure session key to encrypt the card communication data to obtain cipher text of the card communication data if the judging result of the third judging module 320 is yes.

The sending module 326 is further configured to send the cipher text of the card communication data encrypted by the encrypting module 324 to the card.

The second decrypting module 325 is configured to use secure session key acquired by the sixth acquiring module 323 to decrypt a cipher text of card communication response sent from the card to obtain a card communication response.

The sending module 326 is further configured to return the card communication response obtained by decrypting performed by the second decrypting module 325 back to the host.

The identifying module 318 is further configured to identify that the secure channel is not established when detecting that the card leaves field.

Preferably, the sending module 326 is further configured to send a document selecting instruction to the card.

Correspondingly, the fourth judging module is configured to judge type of a document selecting response returned from the card.

Correspondingly, the first acquiring module 304 is specifically configured to acquire card parameter if the fourth judging module judges that the type of the document selecting response returned from the card is correct response.

Correspondingly, the sending module 326 is further configured to send error reporting information to the host, wait for receiving a new instruction sent from the host if the fourth judging module judges that the type of the document selecting response returned from the card is error response.

Preferably, the third obtaining module 307 is further configured to send an objective identification instruction comprising the objective identification; when receiving an objective identification response, acquire the acquired original card data.

Preferably, the sending module 326 is further configured to send a parameter acquiring instruction to the card.

Correspondingly, the first acquiring module 304 specifically is configured to acquire a parameter acquiring response returned from the card if the first judging module 303 judges that the secure channel is not established.

Correspondingly, the second determining module 305 specifically is configured to determine an objective identification according to a parameter acquiring response returned from the card.

Correspondingly, the generating module 311 comprises a first generating unit and a second generating unit.

Correspondingly, the first generating unit is configured to generate a first random data in a random data package.

Correspondingly, the second obtaining module 312 specifically is configured to obtain a first terminal public key according to the first random data generated by the first generating unit, a preset first parameter package and the function package acquired by the second acquiring module 306; read a first card public key from the card according to the first terminal public key; obtain a first mapping data package according to the first card public key, the first random data generated by the first generating unit, the card random data acquired by the fourth acquiring module 309, the first parameter package and the function package acquired by the second acquiring module 306.

Correspondingly, the updating module 313 specifically is configured to update the first parameter package according to the first mapping data package acquired by the second obtaining module 312.

Correspondingly, the second generating unit is configured to generate a second random data in the random data package.

Correspondingly, the third obtaining module 314 specifically is configured to obtaining a second terminal public key according to the second random data acquired by the second generating unit, the first parameter package updated by the updating module 313 and the function package acquired by the second acquiring module 306; read a second card public key from the card according to the second terminal public key; obtaining a second shared key according to the second card public key, the second random data generated by the second generating unit, the first parameter package updated by the updating module 313 and the function package acquired by the second acquiring module 306; obtain a session key package according to the second parameter package, the second shared key and the function package acquired by the second acquiring module 306.

Further, the first obtaining module 308 specifically is configured to take a first preset parameter in a preset second parameter package and the original card data acquired by the third acquiring module 307 as parameters and invoke the derivation function in the function package acquired by the second acquiring module 306 to obtain a derived key.

Further, the fourth acquiring module 309 specifically is configured to send a random number exchanging instruction to the card; when receiving a random number exchanging response returned from the card, to acquire cipher text of random data from the random number exchanging response.

Further, that the second obtaining module 312 is configured to obtain a first terminal public key according to the first random data generated by the first generating unit, a preset first parameter package and the function package acquired by the second acquiring module 306 specifically is: the second obtaining module 312 is configured to take the first random data and a preset first parameter package as parameters to invoke the key generating function in the function package to obtain a first terminal public key.

Further, that the second obtaining module 312 is configured to read a first card public key from a card according to the first terminal public key specifically includes: the second obtaining module 312 organizes a first public key exchanging instruction according to the first terminal public key; send the first public key exchanging instruction to the card; when receiving a first public key exchanging response returned from the card, to acquire a first card public key from the first public key exchanging response.

Further, that the second obtaining module 312 is configured to obtain a first mapping data package according to the first card public key, the first random data generated by the first generating unit, the card random data acquired by the fourth acquiring module 309, the first parameter package and the function package acquired by the second acquiring module 306 specifically is: the second obtaining module 312 is configured to obtain a first shared key according to the first card public key, the first random data generated by the first generating unit, a first parameter and the function package acquired by the second acquiring module 306; obtain a first mapping data package according to the card random data acquired by the fourth acquiring module 309, the first random data generated by the first generating unit, the first shared key and the function package acquired by the second acquiring module 306.

Further, that the second obtaining module 312 is configured to obtain a first shared key according to the first card public key, a first random data generated by the first generating unit, a first parameter and the function package acquired by the second acquiring module 306 specifically is: the second obtaining module 312 is configured to take the first card public key, the first random data generated by the first generating unit and the first parameter package as parameters to invoke the negotiating function in the function package acquired by the second acquiring module 306 to obtain the first shared key.

Further, that the second obtaining module 312 is configured to obtain a first mapping data package according to the first card public key, the first random data generated by the first generating unit, the first parameter package and the function package acquired by the second acquiring module 306 specifically is: the second obtaining module 312 is configured to take the card random data acquired by the fourth acquiring module 309, the first random data generated by the first generating unit and the first shared key as parameters to invoke the mapping function in the function package acquired by the second acquiring module 306 to obtain the first mapping data package; preferably, the mapping function is a universal mapping function or a authentication mapping function.

Further, the second acquiring module 312 further is configured to obtain a second mapping data package according to the first random data generated by the first generating unit, the card random data acquired by the fourth acquiring module 309, a preset first parameter package and the function package acquired by the second acquiring module 306.

Further and correspondingly, the updating module 313 is further configured to update the first parameter package according to the second mapping data package obtained by the second obtaining module 312.

Further, that the second acquiring module 312 is configured to obtain a second mapping data package according to the first random data generated by the first generating unit, the card random data acquired by the fourth acquiring module 309, a preset first parameter package and the function package acquired by the second acquiring module 306 specifically is: second acquiring module 312 is configured to take the card random data acquired by the fourth acquiring module 309 and the first random data as parameters to invoke the pseudorandom function in the function package acquired by the second acquiring module to obtain pseudorandom data; take the pseudorandom data and the first parameter package as parameters to invoke the mapping function in the function package acquired by the second acquiring module 306 to obtain a second mapping data package; the mapping function is a composite mapping function.

Further, the second acquiring module 312 is further configured to organize a random data transferring instruction according to the first random data generated by the first generating unit, send the random data transferring instruction to the card; when receiving a random data transferring response returned from the card, to take the card random data and the first random data as parameters to obtain a second mapping data package according to the first random data generated by the first generating unit, the card random data, a preset first parameter package and the function package acquired by the second acquiring module 306.

Further, in Step M04, obtaining the second terminal public key according to the second random data, the updated first parameter package and the function package specifically is: the card reading terminal 300 takes the second random data and the updated first parameter as parameters to invoke a key generating function in the function package so as to obtain the second terminal public key.

Further, that the third obtaining module 314 is configured to read a second card public key from the card according to the second terminal public key specifically is: the third obtaining module 314 is configured to organize a second public key exchanging instruction according to the second terminal public key, send the second public key exchanging instruction to the card; when receiving a second public key exchanging response returned from the card, to obtain a second card public key from the second public key exchanging response.

Further, that the third obtaining module 314 is configured to obtain a second shared key according to the second card public key, the second random data generated by the second generating unit, the first parameter package updated by the updating module 313 and the function package acquired by the second acquiring module 306 specifically is: the third obtaining module 314 is configured to take the second card public key, the second random data generated by the second generating unit and the first parameter package updated by the updating module 313 to invoke the key negotiating function in the function package acquired by the second acquiring module 306 to obtain the second shared key.

Further, that the third obtaining module 314 is configured to obtain a session key package according to the second parameter package, the second shared key and the function package acquired by the second acquiring module 306 specifically is: the third obtaining module 314 is configured to take a second preset parameter in the second parameter package and the second shared key as parameters to invoke the key derivation function in the function package acquired by the second acquiring module 306 to obtain a first session key in the session key package; to take a third preset parameter in the second parameter package and the second shared key as parameters to invoke the key derivation function in the function package acquired by the second acquiring module 306 to obtain the second session key in the session key package.

Further, the fourth obtaining module 315 specifically is configured to invoke the token function in the function package acquired by the second acquiring module 303 according to the first session key in the session key package obtained by the third obtaining module 314 so as to obtain the terminal authenticated token.

Further, the fifth obtaining module 319 specifically is configured to take the second session key in the session key package obtained by the third obtaining module 314 as a secure session key and store the secure session key.

Preferably, the reading module 316 is specifically configured to organize an authenticated token exchanging instruction according to the terminal authenticated token obtained by the fourth obtaining module 315, send the authenticated token exchanging instruction to the card; when receiving an authenticated token exchanging response returned from the card, to obtain the card authenticated token from the authenticated token exchanging response.

Preferably, the second determining module 317 specifically is configured to determine whether the card authenticated token read by the reading module 316 and the terminal authenticated token acquired by the fourth acquiring module 315 are identical, if yes, it means that a secure channel is established successfully; otherwise, it means that a secure channel is established unsuccessfully.

The above descriptions are only preferred specific embodiments of the present application, but the scope of protection of the present application is not limited thereto. Any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in the present application should be included in the scope of protection of the present application. Therefore, the scope of protection of the present application should be subject to the appended claims. 

1. A working method of a card reading terminal, comprising the following steps: S00), determining, by the card reading terminal, type of an instruction when the card reading terminal receives the instruction sent from a host, if the instruction is an instruction for establishing a secure channel, executing Step S01, if the instruction is an instruction for card communicating, executing Step S04; S01) judging, by the card reading terminal, whether the secure channel is established, if yes, sending information that the secure channel is established successfully to the host, going back to Step S00, otherwise, executing Step S02; S02) acquiring, by the card reading terminal, a card parameter of a card, determining an objective identification according to the card parameter, acquiring a function package corresponding to the objective identification, acquiring original card data; obtaining a derived key according to a preset second parameter package, the original card data and the function package, acquiring cipher text of random data from the card, obtaining card random data by decrypting the cipher text of random data according to the derived key; generating a random data package; obtaining a mapping data package according to the card random data, the random data package, a preset first parameter package and the function package; updating the first parameter package according to the mapping data package; obtaining a session key package according to the random data package, the updated first parameter package and the second parameter package; then executing Step S03; S03) obtaining, by the card reading terminal, a terminal authenticated token according to the session key package and the function package; reading a card authenticated token from the card according to the terminal authenticated token, judging whether the secure channel is established successfully according to the terminal authenticated token and the card authenticated token, if yes, identifying that secure channel is established and obtaining a secure session key according to the session key package and storing the secure session key; sending information that establishing secure channel is successful to the host, then going back to Step S00, otherwise, sending information that establishing secure channel is failed to the host, then going back to Step S00, S04) judging, by the card reading terminal, whether the secure channel is established, if yes, executing Step S05; otherwise executing standard communication between the terminal and the card, then going back to Step S00, and S05) acquiring, by the card reading terminal, card communication data from the instruction for card communicating; acquiring the secure session key stored previously; using the secure session key to encrypt the card communication data so as to obtain cipher text of the card communication data, sending the cipher text of the card communication data to the card; using the secure session key to decrypt a cipher text of a card communication response sent from the card so as to obtain a card communication response, returning the card communication response to the host, the going back to Step S00, the working method further comprises: when detecting that the card leaves a field, identifying, by the card reading terminal, that the secure channel is not established.
 2. The working method of claim 1, wherein acquiring original card data specifically comprises: determining, by the card reading terminal, type of the original card data according to the instruction for establishing a secure channel, if the type is a first type, determining the original card data according to a first type card data; while if the type is a second type, determining the original card data according to a second type card data; determining, by the card reading terminal, type of the original card data according to the instruction for establishing a secure channel specifically comprises: determining, by the card reading terminal, type of the original card data according to a datum of a preset byte in the instruction for establishing a secure channel, if the datum of the preset byte is a sixth preset data, the type of the original card data is a first type; while if the datum of the preset byte is a seventh preset data, the type of original card data is a second type; determining the original card data according to the first type card data specifically comprises: receiving, by the card reading terminal, a first type card data input, coding the first type card data so as to obtain the original card data; or, receiving, by the card reading terminal, a first type card data from the instruction for establishing a secure channel, if the first type card data can be acquired from the instruction for establishing a secure channel, recording the first type card data as the original card data; determining the original card data according to the second type card data specifically comprises: acquiring, by the card reader terminal, the second type card data from the instruction for establishing a secure channel, and computing the second type card data so as to obtain the original card data.
 3. The working method of claim 1, wherein acquiring original card data specifically comprises: receiving, by the card reading terminal, a first type card data input, and coding the first type card data so as to obtain the original card data.
 4. The working method of claim 1, wherein in Step S01, acquiring the original card data specifically comprises: judging, by the card reading terminal, whether first type card data exists in the instruction for establishing a secure channel, if yes, determining the original card data according to the first type card data, otherwise, receiving the first type card data input.
 5. The working method of claim 1, wherein in Step S01, acquiring the original card data specifically comprises: acquiring, by the card reading terminal, second type card data from the instruction for establishing a secure channel, and computing the second type card data so as to obtain the original card data.
 6. The working method of claim 1, wherein Step S02 further comprises: sending, by the card reading terminal, an instruction for selecting document to the card, judging type of a document selecting response returned from the card, if the type is a correct response, executing the acquiring card parameter; if the type is an error response, sending error reporting information to the host, waiting for receiving a new instruction sent from the host, then going back to Step S00.
 7. The working method of claim 1, wherein in Step S02, determining an objective identification according to the card parameter specifically comprises: sending, by the card reading terminal, an instruction for acquiring parameter to the card, acquiring card object identification zone data from a parameter acquiring response returned from the card, acquiring a preset terminal objective identification list; determining an objective identification according to the card object identification zone data and the terminal objective identification list, acquiring a function package corresponding to the determined objective identification.
 8. The working method of claim 1, wherein in Step S02, before acquiring the original card data, the method further comprises: sending to the card, by the card reading terminal, an objective identification instruction comprising the objective identification; when receiving an objective identification response, executing the acquiring the acquired original card data.
 9. The working method of claim 1, wherein Step S02 comprises the following steps: M01), sending, by the card reading terminal, an instruction for acquiring parameter to the card; determining an objective identification according to a parameter acquiring response returned from the card, acquiring a function package corresponding to the objective identification; and acquiring the original card data; M02) obtaining, by the card reading terminal, a derived key according to a preset second parameter package, the original card data and the function package; reading the cipher text of the random data from the card; using the derived key to decrypt the cipher text of the random data so as to obtain card random data; M03) generating, by the card reading terminal, first random data in the random data package; obtaining a first terminal public key according to the first random data, a preset first parameter package and the function package; reading a first card public key from the card according to the first terminal public key; obtaining a first mapping data package according to the first card public key, the first random data, the card random data, the first parameter package and the function package, and updating the first parameter package according to the first mapping data package; M04) generating, by the card reading terminal, second random data in the random data package; obtaining a second terminal public key according to the second random data, the updated first parameter package and the function package; reading a second card public key from the card according to the second terminal public key; and obtaining a second shared key according to the second card public key, the second random data, the updated first parameter package and the function package; and M05) obtaining, by the card reading terminal, a session key package according to the second parameter package, the second shared key and the function package.
 10. The working method of claim 9, wherein in Step M02, reading the cipher text of the random data from the card specifically comprises: sending, by the card reading terminal, an instruction for exchanging random number to the card; when receiving the random number exchanging response returned from the card, obtaining the cipher text of the random data from the random number exchanging response.
 11. A card reading terminal, comprising: a module for receiving, a first module for determining, a first module for judging, a first module for acquiring, a second module for determining, a second module for acquiring, a third module for acquiring, a first module for obtaining, a fourth module for acquiring, a first module for decrypting, a module for generating, a second module for obtaining, a module for updating, a third module for obtaining, a fourth module for obtaining, a module for reading, a second module for judging, a module for identifying, a fifth module for obtaining, a third module for judging, a module for executing, a fifth module for acquiring, a sixth module for acquiring, a module for encrypting, a second module for decrypting and a module for sending; the module for receiving is configured to receive an instruction sent from a host; the module for first determining is configured to determine type of the instruction received by the module for receiving; the first module for judging is configured to judge whether a secure channel is established if the first module for determining determines that the type of the instruction is an instruction for building a secure channel; the module for sending is configured to send information that a secure channel is established successfully to the host if the first module for judging judges that the secure channel is established; the first module for acquiring is configured to acquire a card parameter of the card if the first module for judging judges that the secure channel is not established; the second module for determining is configured to determine an objective identification according to the card parameter acquired by the first module for acquiring; the second module for acquiring is configured to acquire a function package corresponding to the objective identification determined by the second module for determining; the third module for acquiring is configured to acquire original card data; the first module for obtaining is configured to obtain a derived key according to a preset second parameter package, the original card data obtained by the third module for acquiring and the function package acquired by the second module for acquiring; the fourth module for acquiring is configured to acquire a cipher text of random data from the card; the first module for decrypting is configured to obtain the card random data by decrypting the cipher text of random data acquired by the fourth module for acquiring according to the derived key acquired by the first module for obtaining; the module for generating is configured to generate a random data package; the second module for obtaining is configured to obtain a mapping data package according to the card random data obtained by the first module for decrypting, the random data package generated by the module for generating, a preset first parameter package and the function package acquired by the second module for acquiring; the module for updating is configured to update the first parameter package according to the mapping data package obtained by the second module for obtaining; the third module for obtaining is configured to obtain a session key package according to the random data package, the first parameter package updated by the module for updating, and the second parameter package; the fourth module for obtaining is configured to obtain a terminal authenticated token according to the session key package obtained by the third module for obtaining and the function package acquired by the second module for acquiring; the module for reading is configured to read a card authenticated token from the card according to the terminal authenticated token obtained by the fourth module for obtaining; the second module for judging is configured to judge whether the secure channel is established successfully according to the terminal authenticated token read by the module for reading and the card authenticated token obtained by the fourth module for obtaining; the module for identifying is configured to identify that secure channel is established if a judging result of the second module for judging is yes; the fifth module for obtaining is configured to obtain a secure session key according to the session key package obtained by the third module for obtaining and store the secure session key if the judging result of the second module for judging is yes; the module for sending is further configured to send information that establishing the secure channel is successful to the host if the fifth module for obtaining obtains the secure session key and stores the secure session key; the module for sending is further configured to send information that establishing the secure channel is failed to the host if the judging result of the second judging module is no; the third module for judging is configured to judging whether the secure channel is established if the first module for determining determines that type of the instruction is an instruction for card communicating; the module for executing is configured to execute a standard communication between a terminal and the card if a judging result of the third module for judging is no; the fifth module for obtaining is configured to obtain card communication data from the instruction for card communicating; the sixth module for obtaining is configured to obtain the stored secure session key; the module for encrypting is configured to use the secure session key to encrypt the card communication data so as to obtain a cipher text of the card communication data if the judging result of the third module for judging is yes; the module for sending is further configured to send the cipher text of the card communication data encrypted by the module for encrypting to the card; the second module for decrypting is configured to use the secure session key acquired by the sixth module for acquiring to decrypt a cipher text of a card communication response sent from the card so as to obtain the card communication response; the module for sending is further configured to return the card communication response decrypted by the second module for decrypting back to the host; and the module for identifying is further configured to identify that the secure channel is not established when detecting that the card leaves a field.
 12. The card reading terminal of claim 11, wherein the third module for acquiring is specifically configured to determine a type of the original card data according to the instruction for building a secure channel, if the type is a first type, determining the original card data according to a first type card data; while if the type is a second type, determining the original card data according to a second type card data, that the third module for acquiring is configured to determine a type of the original card data according to the instruction for establishing a secure channel specifically is: the third module for acquiring is configured to determine the type of the original card data according to a datum of a preset byte in the instruction for building a secure channel, if data of the preset bytes are sixth preset data, the type of the original card data is a first type; while if data of the preset bytes are seventh preset data, the type of the original card data is a second type, that the third module for acquiring is configured to determine the original card data according to the first type card data specifically is: the third module for acquiring is configured to receive the first type card data input, code the first type card data so as to obtain the original card data; or, to acquire first type card data from instruction for building a secure channel, to record the first type card data as the original card data if the first type card data can be acquired from the instruction for building a secure channel; and that the third module for acquiring is configured to determine the original card data according to the second type card data specifically is: the third module for acquiring is configured to acquire the second type card data from the instruction for building a secure channel, and compute the second type card data so as to obtain the original card data.
 13. The card reading terminal of claim 11, wherein the third module for acquiring specifically is configured to receive the first type card data input, code the first type card data so as to obtain the original card data.
 14. The card reading terminal of claim 11, wherein the third module for acquiring specifically is configured to judge whether the first type card data exist in the instruction for building a secure channel, if yes, determining the original card data according to the first type card data, otherwise, receiving the first type card data input.
 15. The card reading terminal of claim 11, wherein the third module for acquiring specifically is configured to acquire the second type card data from the instruction for building a secure channel, and compute the second type card data so as to obtain the original card data.
 16. The card reading terminal of claim 11, wherein the module for sending is further configured to send an instruction for selecting a document to the card; the fourth module for judging is configured to judge a type of a document selecting response returned from the card; the first module for acquiring is specifically configured to acquire a card parameter if the fourth module for judging judges that the type of the document selecting response returned from the card is a correct response; and the module for sending is further configured to send error reporting information to the host, and wait for receiving a new instruction sent from the host if the fourth module for judging judges that the type of the document selecting response returned from the card is an error response.
 17. The card reading terminal of claim 11, wherein the second module for determining specifically is configured to send an instruction for acquiring parameter to the card, acquire card object identification zone data from a parameter acquiring response returned from the card, acquire a preset terminal objective identification list; determine an objective identification according to the card object identification zone data and the terminal objective identification list, and acquire a function package corresponding to the determined objective identification.
 18. The card reading terminal of claim 11, wherein the third module for obtaining is further configured to send an objective identification instruction comprising the objective identification to the card; and when receiving an objective identification response, acquiring the acquired original card data.
 19. The card reading terminal of claim 11, wherein the module for sending is further configured to send an instruction for acquiring parameter to the card; the first module for acquiring specifically is configured to acquire a parameter acquiring response returned from the card if the first module for judging judges that the secure channel is not established; the second module for determining specifically is configured to determine an objective identification according to a parameter acquiring response returned from the card; the module for generating comprises a first unit for generating and a second unit for generating; the first unit for generating is configured to generate first random data in a random data package; the second module for obtaining specifically is configured to obtain a first terminal public key according to the first random data generated by the first unit for generating, a preset first parameter package and the function package acquired by the second module for acquiring; read a first card public key from the card according to the first terminal public key; and obtain first mapping data package according to the first card public key, the first random data generated by the first unit for generating, the card random data acquired by the fourth module for acquiring, the first parameter package and the function package acquired by the second module for acquiring; the module for updating specifically is configured to update the first parameter package according to the first mapping data package acquired by the second module for obtaining; the second unit for generating is configured to generate second random data in the random data package; the third module for obtaining specifically is configured to obtain a second terminal public key according to the second random data acquired by the second unit for generating, the first parameter package updated by the module for updating and the function package acquired by the second module for acquiring; read a second card public key from the card according to the second terminal public key; obtain a second shared key according to the second card public key, the second random data generated by the second unit for generating, the first parameter package updated by the module for updating and the function package acquired by the second module for acquiring; and obtain a session key package according to the second parameter package, the second shared key and the function package acquired by the second module for acquiring.
 20. The card reading terminal of claim 19, wherein the fourth module for acquiring specifically is configured to send an instruction for exchanging random number to the card; and when receiving a random number exchanging response returned from the card, obtaining the cipher text of the random data from the random number exchanging response. 